I have a question about control A.12.6.1 handling of technical vulnerabilities (inside the SoA table). In the column „reason for selection / exclusion“ I could basically enter almost any risk from the risk assessment table. Cause a lot of risks are based on technical things. I'm guessing that's not the way to go(?) For some other controls out of this table I have chosen general statements as the "reason for selection / exclusion“ without mentioning the concrete risks out of the risk assessment table. Would that make sense with control A 12.6.1, too?